XADM: Error c10361df Occurs When Installing Active Directory Connector

When you install Active Directory Connector (ADC) when you are logged on as an account in a mixed mode child domain, you may receive the following error message:

This issue can occur if the account that you are logged on as is not a member of the Enterprise Administrator group.

NOTE: When this article refers to "native mode," it is referring to a Windows 2000 domain in native mode, not an Exchange 2000 organization in native mode.

To resolve this issue, install ADC in the child domain by using either of the following methods:

• Install ADC on a computer in the child domain by logging on to the computer using an account in the root domain that is a member of the Enterprise Administrator group.
  
  -or-
• Convert the root and child domains to native mode. The account in the child domain can then be added to the Enterprise Administrator group. Before you making this change, be sure you have taken the necessary steps to prepare your domains for the transition to native mode. You cannot reverse changes to the domains after they are converted to native mode.
  
  For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
  231273� Group Type and Scope Usage in Windows 2000

After you install ADC, you can use an account in the child domain to administer ADC even if it is not a member of the Enterprise Administrator group.

The Exchange 2000 release notes contain the following information:
To run setup for ADC, the account you are logged on as must be a member of the Enterprise Administrator group. However, if the root domain is a mixed mode domain, you cannot add other groups or user accounts from other domains to the Enterprise Administrator group.

If the root domain is in native mode and the child domain is in mixed mode, you can add an account from the child domain, but the group membership is not replicated to the mixed mode child domain.

To successfully run setup while logged on as an account in the child domain, both the root and child domain must be in native mode and your account must be a member of the Enterprise Administrator group.

When the root domain is in mixed mode, the Enterprise Administrator group type is "Security Group - Global". By definition, global groups cannot contain users or groups from other domains. In addition, you cannot add other groups in the same domain to a global group when the domain is in mixed mode.

When you change the domain to native mode, the Enterprise Administrator group type becomes "Security Group - Universal". Universal groups can contain other groups (global or universal) and user accounts from other domains.